Abstract

Budaghyan and Carlet [1] constructed a family of almost perfect nonlinear (APN) hexanomials over a field with $r^2$ elements, and with terms of degrees $r+1$, $s+1$, $rs+1$, $rs+r$, $rs+s$, and $r+s$, where $r = 2^m$ and $s = 2^n$ with $\gcd(m,n) = 1$. The construction requires a certain technical condition, which was verified empirically in a finite number of examples. Bracken, Tan, and Tan [2] proved the condition holds when $m \equiv 2$ or $4 \pmod 6$. In this article, we prove that the construction of Budaghyan and Carlet produces APN polynomials for all values of $m$ and $n$ (with $\gcd(m,n) = 1$).

More generally, if $\gcd(m,n) = k > 1$, Budaghyan and Carlet showed that the nonzero derivatives of the hexanomials are $2^k$-to-one maps from $\mathbb{F}_{r^2}$ to $\mathbb{F}_{r^2}$, provided the same technical condition holds. We prove their construction produces polynomials with this property for all $m$ and $n$.

1 Introduction 

If $f$ is a function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^n}$, one can ask for the number of solutions to $f(x+a) = f(x) + b$, where $a, b \in \mathbb{F}_{2^n}$ and $a$ is nonzero. Note that if $x$ is one solution, then $x+a$ is another, so the solutions come in pairs. The function $f$ is said to be almost perfect nonlinear (APN) if there are always exactly zero or two solutions. The function $f(x+a) + f(x)$ is called a derivative of $f$. An APN function is simply a function whose derivatives yield two-to-one maps on $\mathbb{F}_{2^n}$. As pointed out by Carlet, Charpin, and Zinoviev [5], the APN property is equivalent to the property that a certain binary linear code defined in terms of $f$ is double error-correcting. Construction of APN functions is a recurring theme in the literature; see [1], [2], [7], and the survey article [6].

Let $r = 2^m$ and $s = 2^n$, where $m, n \ge 1$. For $d \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$ and $c \in \mathbb{F}_{r^2}$, Budaghyan and Carlet [4] consider the hexanomial

$$F(x) = x\left(x^s + x^r + c\,x^{rs}\right) + x^s\left(c^r x^r + d\,x^{rs}\right) + x^{(s+1)r}. \quad (1)$$

For any positive integer $N$, denote by $\mu_N$ the group of $N$-th roots of unity in the algebraic closure of $\mathbb{F}_2$. If $M$ is odd, then $\mu_M$ has order $M$, and $\mu_M \subseteq \mu_N$ if and only if $M$ divides $N$. In particular, $\mu_{r+1} \subseteq \mu_{r^2-1} = \mathbb{F}_{r^2}^{\times}$, where $\mathbb{F}^{\times}$ denotes the nonzero elements of a field $\mathbb{F}$.



Theorem 1 (Budaghyan and Carlet [4]). If $y^{s+1} + c\,y^s + c^r y + 1$ has no roots $y$ belonging to $\mu_{r+1}$, then all the nonzero derivatives of $F$ (those with $a \ne 0$) are $2^k$-to-$1$ mappings from $\mathbb{F}_{r^2}$ to $\mathbb{F}_{r^2}$, where $k = \gcd(m,n)$. (In particular, if $k = 1$, then $F(x)$ is APN.)

Let us say that the pair $(r,s)$ is BC-compatible if $c \in \mathbb{F}_{r^2}$ can be found satisfying the hypothesis of the theorem. We found an exact and surprisingly simple criterion for BC-compatibility:

Theorem 2. The pair $r = 2^m$, $s = 2^n$ is BC-compatible if and only if $m > 1$ and $n/m$ is not an odd integer.

Previously, it was known that $(r,s)$ is BC-compatible only in some special cases. In [4] it was found empirically that $(2^m, 2)$ is BC-compatible whenever $6 < 2m < 500$ and $3 \nmid m$, and also in at least 140 of the 166 checked cases when $3$ divides $m$. Later, Bracken, Tan, and Tan [1] proved that $(r,s)$ is BC-compatible if $m \equiv 2$ or $4 \pmod 6$ and $\gcd(m,n) = 1$, and in particular the Budaghyan-Carlet APN hexanomials belong to an infinite family. All the cases in [4] and [1] satisfy that $y^{s+1} + c\,y^s + c^r y + 1$ has no roots in $\mathbb{F}_{r^2}$. This condition is stronger than the required hypothesis, since $\mu_{r+1} \subseteq \mathbb{F}_{r^2}$.

Theorem 2 implies that if $c$ is properly selected, then $F(x)$ is APN whenever $m > 1$ and $\gcd(m,n) = 1$. We will show that $F(x)$ is APN when $m = 1$ also, so in fact the only requirement is $\gcd(m,n) = 1$. More generally, we prove the following.

Theorem 3. For all $r = 2^m$ and $s = 2^n$, and for all $d \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$, a value $c \in \mathbb{F}_{r^2}$ can be found such that all the nonzero derivatives of $F(x)$ are $2^k$-to-one mappings from $\mathbb{F}_{r^2}$ to $\mathbb{F}_{r^2}$, where $k = \gcd(m,n)$.

For another viewpoint on the APN hexanomials $F(x)$, see [Section 4.2.1], where it is shown that they belong to a family that is constructed using bent functions.

2 Proof of Theorem 1 

For completeness, we present the proof by Budaghyan and Carlet of Theorem 1. As above, $r = 2^m$, $s = 2^n$, $d \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$, and $c \in \mathbb{F}_{r^2}$. Note that $\mathbb{F}_r \cap \mathbb{F}_s = \mathbb{F}_u$, where $u = 2^k$, $k = \gcd(m,n)$. Let $F(x)$ be the hexanomial defined in (1). Assuming the hypothesis that $y^{s+1} + c\,y^s + c^r y + 1$ has no roots in $\mu_{r+1}$, we are to show that for any nonzero $a \in \mathbb{F}_{r^2}$ and any $b \in \mathbb{F}_{r^2}$, the equation

$$F(x) + F(x+a) = b$$

has exactly zero solutions or exactly $u$ solutions in $\mathbb{F}_{r^2}$.

Denote the number of solutions by $N(a,b)$. Let $G_a(x) = F(ax) + F(ax + a) + F(a)$. Then $N(a,b)$ is the number of solutions in $\mathbb{F}_{r^2}$ to $G_a(x) = F(a) + b$. We claim that $G_a$ is an $\mathbb{F}_u$-linear function. Accepting this for the moment, we see that proving $N(a,b) \in \{0, u\}$ is equivalent to showing that $\ker(G_a)$ (considered as an $\mathbb{F}_u$-linear function on $\mathbb{F}_{r^2}$) has order $u$. We will in fact show $\ker(G_a) = \mathbb{F}_u$.

To see that $G_a$ is $\mathbb{F}_u$-linear, we note that the terms in $F(ax)$ are of the form $\alpha x^{v+w}$ or $\alpha x^v$, where $\alpha \in \mathbb{F}_{r^2}$ and $v, w \in \{r, s, rs, 1\}$ (all powers of $u$). Thus, $G_a$ is a sum of terms

$$\alpha\left(x^{v+w} + (x+1)^{v+w} + 1\right) = \alpha\left(x^v + x^w\right).$$

This is $\mathbb{F}_u$-linear because $v$ and $w$ are powers of $u$. Note also that $\ker(G_a)$ contains $\mathbb{F}_u$, because $x^v + x^w = x + x = 0$ for all $x \in \mathbb{F}_u$.

Now

$$G_a(x) = a^{s+1}(x + x^s) + a^{r+1}(x + x^r) + c\,a^{rs+1}(x + x^{rs}) + c^r a^{r+s}(x^r + x^s) + d\,a^{rs+s}(x^{rs} + x^s) + a^{(s+1)r}(x^{rs} + x^r).$$

Suppose $G_a(x_0) = 0$ with $x_0 \in \mathbb{F}_{r^2}$. Then of course $G_a(x_0) + G_a(x_0)^r = 0$. Using that $x_0^{r^2} = x_0$, $a^{r^2} = a$, $c^{r^2} = c$, $d^{r^2} = d$, we find that many terms in $G_a(x_0)^r$ cancel with terms in $G_a(x_0)$. The result is

$$0 = G_a(x_0) + G_a(x_0)^r = (d + d^r)\, a^{s+rs}\, (x_0 + x_0^r)^s.$$

Now $d + d^r \ne 0$ since $d \notin \mathbb{F}_r$, and $a^{s+rs} \ne 0$ since $a \ne 0$. So we have $x_0 + x_0^r = 0$. Returning to the original formula for $G_a$ and using the relation $x_0^r = x_0$ (hence also $x_0^{rs} = x_0^s$), we see that every term either vanishes or becomes a multiple of $x_0 + x_0^s$:

$$0 = G_a(x_0) = (x_0 + x_0^s)\left(a^{s+1} + c\,a^{rs+1} + c^r a^{r+s} + a^{(s+1)r}\right) = (x_0 + x_0^s)\, a^{s+1}\left(1 + c\,a^{(r-1)s} + c^r a^{r-1} + a^{(s+1)(r-1)}\right).$$

Since $a$ is nonzero, the term $a^{s+1}$ is nonzero. Since $a^{r-1}$ belongs to $\mu_{r+1}$, the hypothesis of the theorem (applied with $y = a^{r-1}$) implies that $1 + c\,a^{(r-1)s} + c^r a^{r-1} + a^{(s+1)(r-1)}$ is nonzero. So we conclude that $G_a(x_0) = 0$ implies $x_0^r = x_0$ and $x_0^s = x_0$, i.e. $x_0 \in \mathbb{F}_r \cap \mathbb{F}_s = \mathbb{F}_u$. This proves that $\ker(G_a) = \mathbb{F}_u$, as claimed.

3 Proof of Theorem 2 

As above, let $r = 2^m$ and $s = 2^n$, where $m, n \ge 1$. Let

$$G(c,y) = y^{s+1} + c\,y^s + c^r y + 1.$$

The technical condition needed in Theorem 1 for the hexanomial $F(x)$ to have the desired properties is that there exists $c \in \mathbb{F}_{r^2}$ such that $G(c,y)$ has no roots in $\mu_{r+1}$. If such $c$ exists, then we say that the pair $(r,s)$ is BC-compatible. We first need a lemma.

Lemma 1. $r + 1$ divides $s + 1$ if and only if $n/m$ is an odd integer.

Proof. First, suppose $n/m = \ell$ is an odd integer, and we will show that $r + 1$ divides $s + 1$. Since $\mathbb{F}_{2^a} \subseteq \mathbb{F}_{2^b}$ if and only if $a \mid b$, and since $2m \mid 2n$, we see that $\mathbb{F}_{r^2} \subseteq \mathbb{F}_{s^2}$. Since $x \in \mathbb{F}_{2^a}^{\times}$ if and only if the order of $x$ divides $2^a - 1$, we see that $\mu_{r+1} \subseteq \mathbb{F}_{r^2}$ and $\mu_{s+1} \subseteq \mathbb{F}_{s^2}$. Let $\tau$ denote the Frobenius map on $\mathbb{F}_{s^2}$ (given by squaring), $\rho = \tau^m$, and $\sigma = \tau^n = \tau^{m\ell} = \rho^{\ell}$. Note that $\rho(\alpha) = \alpha^r$ and $\sigma(\alpha) = \alpha^s$, for $\alpha \in \mathbb{F}_{s^2}$. Now

$$\mu_{r+1} = \{z \in \mathbb{F}_{s^2}^{\times} : \rho(z) = 1/z\}, \qquad \mu_{s+1} = \{z \in \mathbb{F}_{s^2}^{\times} : \sigma(z) = 1/z\}. \quad (2)$$

Since $\ell$ is odd, we see that if $z \in \mu_{r+1}$ then $\sigma(z) = \rho^{\ell}(z) = 1/z$, and so $z \in \mu_{s+1}$. Thus, $\mu_{r+1} \subseteq \mu_{s+1}$, and consequently $r + 1$ divides $s + 1$.



To prove the converse, suppose that $r + 1$ divides $s + 1$ and we will prove that $n$ is an odd multiple of $m$. Let $K_r$ denote the subfield of the algebraic closure of $\mathbb{F}_2$ that is generated by $\mu_{r+1}$. We claim $K_r = \mathbb{F}_{r^2}$. First, $\mu_{r+1} \subseteq \mu_{r^2-1} = \mathbb{F}_{r^2}^{\times}$, so $K_r \subseteq \mathbb{F}_{r^2}$. Now $\mathbb{F}_{r^2}$ can be viewed as a vector space over $K_r$. If the dimension is $d$, then $r^2 = |K_r|^d > (r+1)^d > r^d$. So $d = 1$, and consequently $K_r = \mathbb{F}_{r^2}$ as claimed.

Since $r + 1$ divides $s + 1$, we have $\mu_{r+1} \subseteq \mu_{s+1}$, so the field generated by $\mu_{r+1}$ is contained in the field generated by $\mu_{s+1}$. That is, $\mathbb{F}_{r^2} = \mathbb{F}_{2^{2m}} \subseteq \mathbb{F}_{s^2} = \mathbb{F}_{2^{2n}}$. It follows that $m$ divides $n$, say $n = \ell m$. Let $\tau, \rho, \sigma$ be as above, and let $1 \ne z \in \mu_{r+1}$. By (2), $\rho(z) = 1/z$. Since $\sigma = \rho^{\ell}$, and $z \ne 1/z$, we see that $\sigma(z) = 1/z$ if $\ell$ is odd, and $\sigma(z) = z \ne 1/z$ if $\ell$ is even. On the other hand, $z \in \mu_{r+1} \subseteq \mu_{s+1}$, so by (2), $\sigma(z) = 1/z$. Then $\ell$ must be odd. □

Now we prove our theorem.

Theorem 2. Let $r$ and $s$ be arbitrary positive integral powers of two, and let

$$G(c,y) = y^{s+1} + c\,y^s + c^r y + 1.$$

There exists $c \in \mathbb{F}_{r^2}$ such that $G(c,y)$ has no roots in $\mu_{r+1}$ if and only if $r > 2$ and $r + 1$ does not divide $s + 1$. (By the lemma, these conditions on $r$ and $s$ are equivalent to $m > 1$ and $n/m$ not being an odd integer.)

Proof. First let us show that if $r = 2$ then $G(c,y)$ has a root in $\mu_3$ for any $c \in \mathbb{F}_4$. If $c \in \{0, 1\}$ then $G(c,1) = 0$. If $c \in \mathbb{F}_4 \setminus \mathbb{F}_2$ then $G(c,y) = 0$ for $y = c \in \mu_3$. This establishes the result when $r = 2$.

Now let us show that if $r + 1$ divides $s + 1$ then for all $c \in \mathbb{F}_{r^2}$, the polynomial $G(c,y)$ has a root $y \in \mu_{r+1}$. If $c = 0$, then $G(c,1) = 0$. If $c \ne 0$, then set $y = c^{(r/2)(r-1)}$. This belongs to $\mu_{r+1}$, because $y^{r+1} = (c^{r/2})^{r^2-1} = 1$. Since $r + 1$ divides $s + 1$, we have $y^{s+1} = 1$ (so $y^s = 1/y$), and

$$G(c,y) = 1 + c/y + c^r y + 1 = (c/y)\left(1 + c^{r-1} y^2\right) = (c/y)\left(1 + c^{r^2-1}\right) = 0.$$

For the remainder of the proof, assume $r > 2$ and $r + 1 \nmid s + 1$. We must find $c \in \mathbb{F}_{r^2}$ such that $G(c,y)$ has no roots $y \in \mu_{r+1}$. For $y \in \mu_{r+1}$, let

$$X_y = \{\alpha \in \mathbb{F}_{r^2} : G(\alpha, y) = 0\}.$$

We are seeking $c \in \mathbb{F}_{r^2} \setminus X$, where

$$X = \bigcup_{y \in \mu_{r+1}} X_y.$$

Such $c$ exists if and only if $|X| < r^2$.

Since $G(c,y)$ has degree $r$ in the variable $c$, we have $|X_y| \le r$. This gives a bound:

$$|X| \le \sum_{y \in \mu_{r+1}} |X_y| \le r(r+1).$$

This bound is not good enough, as we need to show $|X| < r^2$. To attain this, we must take into account that the sets $X_y$ are not disjoint.



We consider separately the two cases: $r + 1$ divides $s - 1$, and $r + 1$ does not divide $s - 1$. If $r + 1$ divides $s - 1$, then for $y \in \mu_{r+1}$ we have $y^s = y$, so $G(c,y) = y^2 + (c + c^r)y + 1$. It follows that

$$G(c, 1/y) = y^{-2} + (c + c^r)y^{-1} + 1 = y^{-2}\, G(c,y),$$

and so $X_y = X_{y^{-1}}$. Consequently, $X = \bigcup X_y$, where the union includes one representative among each pair $\{y, 1/y\}$. There are $1 + r/2$ representatives, giving $|X| \le r(1 + r/2)$. Since $r > 2$ by hypothesis, this is less than $r^2$, as required.

Finally, we consider the case where $r + 1 \nmid s + 1$ and $r + 1 \nmid s - 1$. Observe that $X_1 = \{\alpha \in \mathbb{F}_{r^2} : 1 + \alpha + \alpha^r + 1 = 0\} = \mathbb{F}_r$. Also, observe that if $y \in \mu_{r+1}$ then $G(y,y) = y^{r+1} + 1 = 0$, so $y \in X_y$. Thus, $X_1 \subseteq Z \subseteq X$, where

$$Z = \mathbb{F}_r \cup \mu_{r+1}.$$

It follows that

$$X = Z \cup \bigcup_{y \in \mu_{r+1},\, y \ne 1} \left(X_y \setminus Z\right),$$

and so (using $|Z| = 2r$, since $\mathbb{F}_r \cap \mu_{r+1} = \{1\}$, and $|X_y| \le r$)

$$|X| \le |Z| + \sum_{y \in \mu_{r+1},\, y \ne 1} |X_y \setminus Z| = 2r + \sum_{y \ne 1} \left(|X_y| - |X_y \cap Z|\right) \le 2r + \sum_{y \ne 1} \left(r - |X_y \cap Z|\right) = 2r + r^2 - \sum_{y \ne 1} |X_y \cap Z|.$$

Since the sum has $r$ terms, this leads to the inequality

$$r^2 - |X| \ge \sum_{y \in \mu_{r+1},\, y \ne 1} \left(|X_y \cap Z| - 2\right). \quad (3)$$

So to demonstrate that $|X| < r^2$, it suffices to show that $|X_y \cap Z| \ge 2$ for all $y \in \mu_{r+1} \setminus \{1\}$, and $|X_y \cap Z| > 2$ for at least one $y$. We will do this by constructing some explicit elements of $X_y \cap Z$.

Two elements of $X_y \cap Z$ are $y$ and $y^{-s}$ (both lie in $\mu_{r+1} \subseteq Z$). These are in $X_y$ because for $c = y$,

$$y^{s+1} + c\,y^s + c^r y + 1 = y^{s+1} + y^{s+1} + y^{r+1} + 1 = 0,$$

and for $c = y^{-s}$ (using $y^{-r} = y$),

$$y^{s+1} + c\,y^s + c^r y + 1 = y^{s+1} + 1 + y^{s+1} + 1 = 0.$$

Note that $y$ and $y^{-s}$ are distinct if and only if $y^{s+1} \ne 1$.

If $y^{s-1} \ne 1$ then we can obtain another element of $X_y \cap Z$ by setting

$$c_0 = \frac{y^{s+1} + 1}{y^s + y}.$$

Here $c_0 \in \mathbb{F}_r$, because (using $y^r = 1/y$) we have

$$c_0^r = \frac{y^{-(s+1)} + 1}{y^{-s} + y^{-1}} = \frac{1 + y^{s+1}}{y + y^s} = c_0.$$

Also $c_0 \in X_y$, because

$$y^{s+1} + c_0 y^s + c_0^r y + 1 = (y^{s+1} + 1) + c_0 (y^s + y) = 0.$$

Since $c_0 \in \mathbb{F}_r$ and $\mathbb{F}_r \cap \mu_{r+1} = \{1\}$, we know $c_0$ is distinct from $y$ and $y^{-s}$ (neither of which equals $1$, because $y \ne 1$ and $s$ is coprime to the odd number $r+1$).
In summary, for $y \in \mu_{r+1} \setminus \{1\}$ we have:

• If $y^{s-1} \ne 1$ and $y^{s+1} \ne 1$, then $c_0$, $y$, and $y^{-s}$ are distinct elements of $X_y \cap Z$.

• If $y^{s-1} \ne 1$ but $y^{s+1} = 1$, then $c_0$ and $y$ are distinct elements of $X_y \cap Z$.

• If $y^{s-1} = 1$ then $y$ and $y^{-s}$ are distinct elements of $X_y \cap Z$.

We see that $|X_y \cap Z| \ge 2$ always. Moreover, when $y$ is a primitive $(r+1)$-th root of unity, then from the hypothesis that $r + 1$ does not divide $s + 1$ or $s - 1$, we will have that $y^{s+1} \ne 1$ and $y^{s-1} \ne 1$, so $|X_y \cap Z| \ge 3$. As noted above, this completes the demonstration that $|X| < r^2$, and completes the proof. □



4 Proof of Theorem 3 

Theorem 3 asserts that for $r = 2^m$ and $s = 2^n$, and any choice of $d \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$, there always exists $c \in \mathbb{F}_{r^2}$ such that the nonzero derivatives of the hexanomial $F(x)$ given by (1) are $2^k$-to-one mappings from $\mathbb{F}_{r^2}$ to $\mathbb{F}_{r^2}$, where $k = \gcd(m,n)$. Here we provide a proof.

If $m$ does not divide $n$, then $(r,s)$ is BC-compatible by Theorem 2 (in this case $m > 1$ and $n/m$ is not an integer), so Theorem 3 holds. If $m$ divides $n$, then $k = m$ and $2^k = r$, and the next lemma shows that any choice of $c$ will work, so that Theorem 3 again holds.

Lemma 2. If $m$ divides $n$ (equivalently, $\mathbb{F}_r \subseteq \mathbb{F}_s$), then the nonzero derivatives of $F(x)$ are $r$-to-one mappings from $\mathbb{F}_{r^2}$ to $\mathbb{F}_{r^2}$, for any choice of $c \in \mathbb{F}_{r^2}$ and $d \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$.

Proof. For nonzero $a \in \mathbb{F}_{r^2}$, let $G_a(x) = F(ax) + F(ax + a) + F(a)$. As explained in the proof of Theorem 1, it suffices to prove that $G_a$ has exactly $r$ roots in $\mathbb{F}_{r^2}$. If $x_0 \in \mathbb{F}_{r^2} \setminus \mathbb{F}_r$, then using the relation $x_0^{r^2} = x_0$, we find that $G_a(x_0) + G_a(x_0)^r = (d + d^r)\, a^{s+rs}\, (x_0 + x_0^r)^s$. This is nonzero, therefore $G_a(x_0) \ne 0$. If $x_0 \in \mathbb{F}_r$, then using the relation $x_0^r = x_0$ we find that $G_a(x_0) = (x_0 + x_0^s)\, a^{s+1}\left(1 + c\,a^{(r-1)s} + c^r a^{r-1} + a^{(s+1)(r-1)}\right)$. Since $x_0 \in \mathbb{F}_r \subseteq \mathbb{F}_s$, we see that $x_0 + x_0^s = 0$, and so $G_a(x_0) = 0$. This establishes that $G_a$ has exactly $r$ roots in $\mathbb{F}_{r^2}$, as required. □
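The following Python script is an added example, not code from the paper, that checks Theorem 1, Theorem 2 and Lemma 2 numerically over the small fields $\mathbb{F}_4$, $\mathbb{F}_{16}$ and $\mathbb{F}_{64}$. It builds $\mathbb{F}_{2^{2m}}$ from a fixed irreducible polynomial (a constructed choice; any other modulus gives an isomorphic field), tests the hypothesis of Theorem 1 for every $c$, compares the outcome with the criterion of Theorem 2, and counts the fibres of the nonzero derivatives $x \mapsto F(x+a) + F(x)$ of the hexanomial (1) to confirm that they are $2^{\gcd(m,n)}$-to-one. The function `every_c_works` exercises Lemma 2: when $m \mid n$, every $c$ yields $r$-to-one derivatives. All function names and the list of $(m,n)$ pairs are this example's own.

```python
"""Numerical check of the Budaghyan-Carlet hexanomial F(x) over small fields.

Added example, not code from the paper. The field F_{2^e} is built from a fixed
irreducible polynomial (a constructed choice; any other modulus gives an isomorphic field).
"""
from math import gcd

# Irreducible polynomials over F_2 for the degrees used below, written as bit strings.
IRREDUCIBLE = {2: 0b111, 4: 0b10011, 6: 0b1000011}


class GF2e:
    """Arithmetic in F_{2^e}; an element is an int whose bits are polynomial coefficients."""

    def __init__(self, e):
        if e not in IRREDUCIBLE:
            raise ValueError(f"no modulus stored for degree {e}")
        self.e, self.poly, self.order = e, IRREDUCIBLE[e], 1 << e

    def mul(self, a, b):
        res = 0
        while b:
            if b & 1:
                res ^= a
            b >>= 1
            a <<= 1
            if a & self.order:  # reduce modulo the irreducible polynomial
                a ^= self.poly
        return res

    def pow(self, a, k):
        res = 1
        while k:
            if k & 1:
                res = self.mul(res, a)
            a = self.mul(a, a)
            k >>= 1
        return res


def bc_condition(K, r, s, c):
    """Hypothesis of Theorem 1: y^{s+1} + c y^s + c^r y + 1 has no root y in mu_{r+1}."""
    cr = K.pow(c, r)
    mu = [y for y in range(1, K.order) if K.pow(y, r + 1) == 1]  # the (r+1)-th roots of unity
    return all(K.pow(y, s + 1) ^ K.mul(c, K.pow(y, s)) ^ K.mul(cr, y) ^ 1 for y in mu)


def hexanomial_table(K, r, s, c, d):
    """Tabulate F(x) = x(x^s + x^r + c x^{rs}) + x^s(c^r x^r + d x^{rs}) + x^{(s+1)r} over the field."""
    cr, table = K.pow(c, r), []
    for x in range(K.order):
        xs, xr, xrs = K.pow(x, s), K.pow(x, r), K.pow(x, r * s)
        val = K.mul(x, xs ^ xr ^ K.mul(c, xrs))
        val ^= K.mul(xs, K.mul(cr, xr) ^ K.mul(d, xrs))
        val ^= K.pow(x, (s + 1) * r)
        table.append(val)
    return table


def derivative_fibre_sizes(K, F):
    """Sizes of the nonempty fibres of x -> F(x+a) + F(x), collected over all nonzero a."""
    sizes = set()
    for a in range(1, K.order):
        counts = {}
        for x in range(K.order):
            v = F[x ^ a] ^ F[x]  # addition in characteristic 2 is XOR
            counts[v] = counts.get(v, 0) + 1
        sizes |= set(counts.values())
    return sizes


def theorem2_predicts(m, n):
    """Theorem 2: (2^m, 2^n) is BC-compatible iff m > 1 and n/m is not an odd integer."""
    return m > 1 and not (n % m == 0 and (n // m) % 2 == 1)


def check_construction(m, n):
    """Return (bc_compatible, fibre_sizes) for r = 2^m, s = 2^n over F_{2^{2m}}.

    The fibre sizes are computed for the first admissible c (c = 0 if none exists, which
    is the situation covered by Lemma 2) and the first d with d^r != d.
    """
    r, s, K = 1 << m, 1 << n, GF2e(2 * m)
    good_c = [c for c in range(K.order) if bc_condition(K, r, s, c)]
    c = good_c[0] if good_c else 0
    d = next(x for x in range(K.order) if K.pow(x, r) != x)  # d in F_{r^2} but not in F_r
    return bool(good_c), derivative_fibre_sizes(K, hexanomial_table(K, r, s, c, d))


def every_c_works(m, n):
    """Lemma 2: when m divides n, every c gives r-to-one nonzero derivatives."""
    r, s, K = 1 << m, 1 << n, GF2e(2 * m)
    d = next(x for x in range(K.order) if K.pow(x, r) != x)
    return all(derivative_fibre_sizes(K, hexanomial_table(K, r, s, c, d)) == {r}
               for c in range(K.order))


if __name__ == "__main__":
    for m, n in [(1, 1), (2, 1), (2, 2), (2, 4), (3, 1), (3, 2), (3, 3)]:
        compat, sizes = check_construction(m, n)
        print(f"m={m} n={n}: BC-compatible={compat} (Theorem 2 says {theorem2_predicts(m, n)}), "
              f"derivative fibres {sorted(sizes)}, expected 2^gcd(m,n) = {1 << gcd(m, n)}")
```

The pairs $(1,1)$, $(2,2)$ and $(3,3)$ are the cases that are not BC-compatible (here $n/m = 1$ is odd, or $r = 2$), and for them the script still finds $r$-to-one derivatives for the default $c = 0$, as Lemma 2 predicts; $(2,4)$ has $n/m = 2$ even and is compatible while also being covered by Lemma 2. The brute-force fibre count is only feasible for tiny fields, but it is the literal definition of the $2^k$-to-one property used in Section 1.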